by madamelic 3144 days ago
> develop your own system to collect data and payment so it can be more secure and a more consistent experience with the rest of the website.

I was really concerned when I saw this (I thought you were asking them to not use Stripe or PayPal), but I strongly concur. Using Typeform for collecting credit cards is an extreme violation of PCI-DSS.

You need to pull down your site immediately and don't put it back up until you aren't running cards through Typeform.

I am normally very loose with rules and I know validating is hard, but you are exposing yourself to major financial implications by doing this.

EDIT: Spoke too soon. Looks like they are properly exchanging info for a token and not passing info to Typeform, just the token.